
Lateral Movement Explained

What is lateral movement?

Lateral movement is the set of techniques that attackers use to gain access to additional assets after they have initially penetrated network defenses. After initial access and landing within a data center or IT environment, cybercriminals use stolen login credentials (obtained via credential theft or phishing attacks) to impersonate legitimate users, moving more deeply into systems to access sensitive data, intellectual property, and other high-value assets.

The danger of lateral movement attacks

As the landscape of cyberthreats continues to evolve, IT cybersecurity teams remain focused on preventing breaches from penetrating network defenses. But many teams also recognize that not all breaches can be prevented. In fact, when it comes to experiencing a cyberattack, it’s more a matter of “when” rather than “if.” 

That’s why savvy organizations today are also focused on detecting breaches quickly and minimizing the damage they can cause. In some ways, this is a bigger challenge, since it requires network security teams to monitor the vast amount of east-west traffic within a network, looking for signs of lateral movement that indicate potential malicious activity. Most organizations, however, have little visibility into east-west network traffic, especially if they are relying on traditional technologies like legacy firewalls for application control and application allowlisting.

Akamai can help. Our solution provides tools for deep visibility, microsegmentation, and threat intelligence that can help you quickly detect lateral movement, reduce your attack surface, and minimize the impact of cyberattacks and advanced persistent threats.

This diagram illustrates how microsegmentation techniques are used to divide a network into secure units to prevent lateral movement (or east-west traffic).

How do lateral movement attacks work? 

Lateral movement is the series of steps taken by attackers who have already gained access to a trusted environment and who are looking for high-value assets. Once inside the network, attackers identify the most vulnerable or valuable assets and take steps to reach them by expanding their level of access. 

This type of lateral movement usually starts with infecting or compromising a data center or cloud node using stolen credentials. From that point, attackers use a variety of techniques to probe the network, nodes, and applications, looking for vulnerabilities to exploit and misconfigurations that allow them to move successfully to their next target, often with stolen credentials obtained through phishing emails or credential dumping.

When done effectively, lateral movement can be extremely difficult for IT teams to detect, as the activity blends in with large volumes of legitimate east-west traffic. As attackers learn more about how legitimate traffic flows within the environment, they have an easier time masquerading their lateral movement as sanctioned activities. This difficulty in detecting lateral movement allows security breaches to escalate quickly to devastating proportions.

To stop lateral movement attacks, cybersecurity teams need three critical capabilities. They must be able to visualize east-west traffic in real time and on a historical basis, allowing them to identify potential malicious activity more easily. They can also use microsegmentation security solutions to apply network hierarchies, and workload- and process-level security controls to critical assets, blocking attempts at lateral movement. And they can use deception technology to redirect suspicious behavior to high-interaction deception engines, where IT teams can learn more about the lateral movement attack for threat hunting and how to craft better security policies to prevent it.

Visualizing east-west traffic

Organizations seeking more proactive lateral movement security can begin by visualizing the east-west traffic in their environment. Once a clear baseline of sanctioned east-west traffic is established and viewable on a real-time and historical basis, it becomes much easier to identify unsanctioned lateral movement attempts.

This is one of the flagship capabilities of Akamai’s solution. Akamai Guardicore Segmentation technology uses network and host-based sensors to collect detailed information about assets and flows in data center, cloud, and hybrid environments, combines this information with any labeling (naming convention) information available from orchestration tools, and displays a visual representation of east-west traffic in the environment.
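The baseline-and-compare approach described above, as an added example that is not Akamai's code: a set of flow tuples learned from a sanctioned window, later flows checked against it, and one extra defender's check for a single source opening new connections to several hosts on administrative ports. All hostnames, ports, process names and flow records are constructed for the example.

```python
"""Baseline-and-compare detection of unsanctioned east-west flows."""
from collections import defaultdict

# Constructed flows observed while the baseline was learned:
# (src_host, dst_host, dst_port, src_process)
LEARNING_WINDOW = [
    ("web-01", "app-01", 8080, "nginx"),
    ("web-02", "app-01", 8080, "nginx"),
    ("app-01", "db-01", 5432, "java"),
    ("bastion-01", "app-01", 22, "ssh"),
    ("bastion-01", "db-01", 22, "ssh"),
]

# Constructed flows from a later window; ws-17 reaches several servers
# over admin ports, which never appeared in the baseline.
NEW_WINDOW = [
    ("web-01", "app-01", 8080, "nginx"),            # sanctioned
    ("app-01", "db-01", 5432, "java"),              # sanctioned
    ("ws-17", "app-01", 445, "powershell.exe"),     # not in baseline
    ("ws-17", "db-01", 445, "powershell.exe"),      # not in baseline
    ("ws-17", "web-02", 3389, "mstsc.exe"),         # not in baseline
    ("bastion-01", "app-01", 22, "ssh"),            # sanctioned
]

# Ports commonly used for remote administration (assumed list, tune per environment)
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}
FAN_OUT_THRESHOLD = 2  # distinct new destinations on admin ports from one source

def build_baseline(flows):
    """Set of (src, dst, port, process) tuples seen during the learning window."""
    return set(flows)

def find_unsanctioned(flows, baseline):
    """Flows absent from the baseline, in the order they were seen."""
    return [f for f in flows if f not in baseline]

def fan_out_sources(unsanctioned):
    """Sources whose new flows reach >= threshold distinct hosts on admin ports."""
    dests = defaultdict(set)
    for src, dst, port, _proc in unsanctioned:
        if port in ADMIN_PORTS:
            dests[src].add(dst)
    return sorted(s for s, d in dests.items() if len(d) >= FAN_OUT_THRESHOLD)

if __name__ == "__main__":
    base = build_baseline(LEARNING_WINDOW)
    new = find_unsanctioned(NEW_WINDOW, base)
    for f in new:
        print("unsanctioned east-west flow:", f)
    print("lateral-movement fan-out candidates:", fan_out_sources(new))
```

A real deployment would key the baseline on labels rather than hostnames and age it over time; the logic of comparing current flows to a learned sanctioned set is the same.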

How does lateral movement control fit within a Zero Trust security strategy?

Rather than a technology or product, Zero Trust is a framework for understanding security. It provides CISOs and other security leaders with a strategic, architectural approach to a more rigorous security posture that helps prepare their organizations for a landscape of escalating risk.

A Zero Trust architecture abandons the idea of a trusted network within a defined perimeter. The goal is to minimize the attack surface and prevent the kind of lateral movement throughout a network that so many cyberattacks rely on. When a breach or data exfiltration occurs, a Zero Trust architecture will prevent intruders from moving laterally to easily access other systems or sensitive data. This approach supports new business and operational models that require speed and flexibility. And it facilitates compliance with regulations that require stronger protection of consumer data and separation of critical and non-critical assets.

To successfully implement a Zero Trust model, security teams need two fundamental capabilities: total visibility into their internal network environments, and segmentation capabilities that let them quickly and efficiently create microperimeters around critical assets. Comprehensive visibility is essential to developing the understanding of application dependencies and traffic flows on which security policies should be based. And fast and efficient segmentation capabilities are required to adapt to changing business requirements and complex, dynamic, hybrid data center environments. Traditional security approaches that are primarily focused on external threats fall short on both of these capabilities.

Detecting lateral movement with Akamai Guardicore technology

Our solution delivers a single, scalable platform that provides all the capabilities you need to detect lateral movement and neutralize attacks like ransomware and advanced persistent threats. With real-time threat detection and response capabilities, our solution makes it easy to detect lateral movement techniques and minimize dwell time throughout the entire cyberattack kill chain.

Our solution is a software-based network segmentation solution that lets you achieve higher levels of security more quickly, easily, and cost-effectively. Unlike legacy firewalls and VLANs, our solution provides deep visibility into application dependencies and flows so you can understand more easily what’s happening in your environment. Because our technology is decoupled from the physical network, you can swiftly apply microsegmentation and privileged access policies to protect critical IT assets from lateral movement no matter where they reside — on-premises, in the cloud, or in hybrid infrastructure.

Address lateral movement

Akamai offers significant advantages over other security technology when it comes to detecting and stopping lateral movement.

Achieve greater visibility

With process-level enforcement of microsegmentation policies, Akamai can easily detect, alert on, and block unauthorized processes that attempt to access critical IT assets. The result is a much smaller attack surface that limits lateral movement.
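To show what process-level enforcement adds over port-level rules (the segmentation capability discussed here and in the Zero Trust section above), here is an added example that is not Akamai's code: a default-deny policy keyed on asset labels, destination port and the source process, evaluated against constructed flows. Labels, rules, hosts and process names are all assumed for the example.

```python
"""Label-based microsegmentation policy with process-level enforcement."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    process: str   # process on the source host that opened the connection

# Constructed asset labels (hypothetical environment, not from the page)
LABELS = {
    "web-01": "web", "web-02": "web",
    "app-01": "app", "db-01": "db",
    "ws-17": "workstation",
}

# Allow rules: (src_label, dst_label, dst_port, process); process None = any
RULES = [
    ("web", "app", 8080, "nginx"),
    ("app", "db", 5432, "java"),
]

def evaluate(flow, rules, enforce_process=True):
    """Default deny: 'allow' only when labels, port and (optionally) process match a rule."""
    src_label = LABELS.get(flow.src, "unlabeled")
    dst_label = LABELS.get(flow.dst, "unlabeled")
    for s, d, port, proc in rules:
        if (s, d, port) != (src_label, dst_label, flow.port):
            continue
        if not enforce_process or proc is None or proc == flow.process:
            return "allow"
    return "block"

# Constructed sample flows
SAMPLE = [
    Flow("web-01", "app-01", 8080, "nginx"),     # sanctioned
    Flow("web-01", "app-01", 8080, "python3"),   # same hosts/port, unexpected process
    Flow("ws-17", "db-01", 5432, "psql"),        # workstation to database: no rule
    Flow("app-01", "db-01", 5432, "java"),       # sanctioned
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f, "port-only:", evaluate(f, RULES, enforce_process=False),
              "process-level:", evaluate(f, RULES))
```

The second sample flow is the instructive one: a port-only policy passes it because the hosts and port are sanctioned, while the process-level policy blocks it because the connection was opened by something other than the expected service.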

Minimize dwell time

Our solution discovers malicious activity earlier in the kill chain to prevent attackers from using lateral movement to spread throughout an environment. Akamai delivers details on threat actors, apps, brute-force attempts, and attackers’ tools and techniques that help incident response teams prioritize investigation and reduce dwell time.

Accelerate incident response

Our solution can automatically export indicators of compromise to security gateways and SIEM. Our platform provides a single-click update to segmentation policies to remediate traffic violations. And security teams can trigger actions on VMs to prevent the spread of damage from ransomware attacks.

Improve threat intelligence

Our solution provides intelligence into threats so security teams can refine segmentation policy. Akamai Guardicore Segmentation collects the entire attack footprint, including files and tools being used and uploaded. Deep forensics help expose user credentials, attack methods, propagation tactics, and more.

Disrupt attackers with deception

High-interaction deception on the solution platform can disrupt attackers and capture attack details. Akamai Guardicore Segmentation uses reputation analysis to detect suspicious domain names, IP addresses, and file hashes within traffic flows.

Why customers choose Akamai

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.
